Konrad Pietrzak

**Name of the Vulnerable Software and Affected Versions** Erlang OTP versions 17.0 through 29.0.1 Erlang OTP version 28.5.0.1 Erlang OTP version 27.3.4.12 **Description** Sensitive data exposure occurs in the `httpc response` module of the inets library. The `httpc` client forwards `Authorization` and `Proxy-Authorization` request headers to redirect targets without verifying if the redirect crosses an origin boundary. Specifically, the `redirect/2` function constructs the redirected request by updating only the host field of the header record, copying all other fields verbatim. Since `autoredirect` is enabled by default, this affects all callers that do not explicitly disable automatic redirects. An attacker controlling a server can issue a cross-origin 3xx redirect to a server they also control, causing the `Authorization` header (including Basic credentials derived from URL userinfo via the `handle user info/2` function) and the `Proxy-Authorization` header to be forwarded, leading to credential theft. **Recommendations** Update Erlang OTP to version 29.0.2, 28.5.0.2, or 27.3.4.13. Set `{autoredirect, false}` in the `httpc:request/4` options and handle redirects manually, stripping the `Authorization` header when the redirect crosses an origin boundary. Ensure that `httpc` is only used to contact trusted servers that will not issue cross-origin redirects.

Name of the Vulnerable Software and Affected Versions Erlang OTP versions 17.0 through 28.4.2, 26.2.5.19, and 27.3.4.10 Description An incorrect authorization issue exists in Erlang OTP (inets modules) that allows unauthenticated access to CGI scripts protected by directory rules when served via `script alias`. This occurs because `mod auth` evaluates directory-based access controls against the `DocumentRoot`-relative path, while `mod cgi` executes scripts at the `ScriptAlias`-resolved path, creating a path mismatch. The affected program files are `lib/inets/src/http server/mod alias.erl`, `lib/inets/src/http server/mod auth.erl`, and `lib/inets/src/http server/mod cgi.erl`. Recommendations Move CGI scripts inside `DocumentRoot` and use `alias` instead of `script alias` to ensure `mod auth` resolves the correct path. Apply URL-based access controls at a reverse proxy layer to block unauthenticated access to the `script alias` URL prefix. Remove `mod cgi` from the httpd modules chain if CGI functionality is not required.

**Name of the Vulnerable Software and Affected Versions** Erlang OTP versions 17.0 through 28.4.1 Erlang OTP versions 26.2.5.18 and 27.3.4.9 inets versions 5.10 through 9.6.1 inets versions 9.1.0.5 and 9.3.2.3 **Description** An inconsistent interpretation of HTTP requests, specifically 'HTTP Request Smuggling', exists in Erlang OTP (inets httpd module). This issue is related to the program files `lib/inets/src/http server/httpd request.erl` and the `httpd request:parse headers/7` routine. The server does not properly handle duplicate Content-Length headers, using the first value encountered for body parsing, while common reverse proxies utilize the last value. This discrepancy violates RFC 9112 Section 6.3 and can lead to front-end/back-end desynchronization, potentially allowing an attacker to inject controlled bytes into the start of subsequent requests. **Recommendations** Update Erlang OTP to a version later than 28.4.1. Update Erlang OTP to a version later than 27.3.4.9. Update Erlang OTP to a version later than 26.2.5.18. Update inets to a version later than 9.6.1. Update inets to a version later than 9.3.2.3. Update inets to a version later than 9.1.0.5.